SQL Server 2016 Security Features
Mike Herman, Omni Resources
Current Features in SQL Server 2014
  SQL Server 2000 and before: no native tools for encryption. Data-at-rest encryption could be done with third-party tools, or by encrypting the entire drive (TrueCrypt, etc.).
  Cell Level Encryption: introduced with SQL Server 2005.
  Transparent Data Encryption (TDE): introduced with SQL Server 2008.
  Certificate-based transport encryption (SSL/TLS): protects data on the network.
2 | 4/10/2019 | SQL Server 2016 Security Features
Why New Security Features? Boundaries
  TDE and cell-level encryption protect data at rest, and SSL/TLS protects it in transit, but the server itself still handles plaintext. Anyone with administrative access to the instance (or to its memory and backups) sits inside that boundary and can read the data.
New For SQL Server 2016
  Always Encrypted
  Dynamic Data Masking
  Row Level Security
Always Encrypted
  Prevents Data Disclosure: end-to-end encryption of individual columns in a table, with keys that are never given to the database system. Data is encrypted in the client driver and stays encrypted in transit, in server memory and at rest.
  Queries on Encrypted Data: support for equality comparison, including JOIN, GROUP BY and DISTINCT operators.
  Application Transparency: minimal application changes via server and client library enhancements. Connection string change: Column Encryption Setting=Enabled
Always Encrypted Types
  Deterministic Encryption
    Same plaintext value produces the same encrypted value.
    Supports indexing, equality comparison, JOINs, GROUP BY, DISTINCT.
    Caveat: equal ciphertexts reveal equal plaintexts, so low-cardinality columns (gender, yes/no flags) are open to frequency analysis.
  Randomized Encryption
    Same plaintext value produces a different encrypted value each time.
    Supports retrieval of encrypted data only; no SQL operations on the column.
Always Encrypted: the magic is in the encryption keys
  Column Master Key (CMK): held outside SQL Server, in the Windows certificate store, Azure Key Vault or a hardware security module reached through a CNG/CSP provider. The server stores only metadata describing where the key lives.
  Column Encryption Key (CEK): encrypts the column data. It is stored in the database, but only as ciphertext wrapped by the CMK, so the server can never decrypt the column data it holds.
Always Encrypted Demo
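Worked example for the demo, added here and not part of the original slides: the CMK/CEK hierarchy from the previous slide and a table that mixes deterministic and randomized columns, with comments on which queries the server can and cannot run. The names CMK_Demo, CEK_Demo and dbo.Patients are assumptions, and the certificate thumbprint and ENCRYPTED_VALUE are placeholders that the client-side key tooling would normally fill in.

```sql
-- Added example, not from the deck: the Always Encrypted key hierarchy and a
-- table mixing the two encryption types. CMK_Demo, CEK_Demo and dbo.Patients
-- are assumed names.

-- 1. Column master key (CMK): metadata only. The key itself lives in the
--    client's certificate store; SQL Server never holds it. The thumbprint in
--    KEY_PATH is a placeholder, not a real certificate.
CREATE COLUMN MASTER KEY CMK_Demo
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/0000000000000000000000000000000000000000'
);
GO

-- 2. Column encryption key (CEK): stored in the database, but only as
--    ciphertext wrapped by the CMK. ENCRYPTED_VALUE is generated on the client
--    (SSMS "Always Encrypted Keys" wizard or the SqlServer PowerShell module);
--    0x00 is a placeholder and would not decrypt.
CREATE COLUMN ENCRYPTION KEY CEK_Demo
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Demo,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00
);
GO

-- 3. Deterministic vs. randomized columns.
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY(1,1) PRIMARY KEY,
    LastName  NVARCHAR(50) NOT NULL,
    -- Deterministic: same plaintext, same ciphertext. The server can do
    -- equality, JOIN, GROUP BY, DISTINCT and point lookups on the column.
    -- Character columns must use a _BIN2 collation to be deterministic.
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Demo,
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL,
    -- Randomized: fresh ciphertext on every insert, so no frequency analysis,
    -- but the server can only store and return the value.
    Salary MONEY
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Demo,
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL
);
GO

-- 4. What works from a client connected with "Column Encryption Setting=Enabled"
--    and access to the CMK. The statement must be parameterized: the driver
--    encrypts @ssn deterministically before the batch leaves the client, and the
--    server compares ciphertext to ciphertext.
--      SELECT PatientId, LastName, Salary FROM dbo.Patients WHERE SSN = @ssn;
--    These are rejected, because the server never sees plaintext:
--      WHERE SSN = '123-45-6789'   inline literal is not encrypted (operand type clash)
--      WHERE SSN LIKE '123%'       deterministic encryption supports equality only
--      WHERE Salary > 100000       randomized column: no operations at all
--    A connection without the setting (or without the CMK) gets varbinary
--    ciphertext back for SSN and Salary, which is exactly the DBA's view.

-- 5. Check what is protected: the catalog exposes this metadata to everyone.
SELECT c.name AS column_name,
       c.encryption_type_desc,
       c.encryption_algorithm_name,
       k.name AS column_encryption_key
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
  ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID(N'dbo.Patients');
```

The catalog query at the end is the check to run after a deployment: if a column you expected to be protected is missing from the result, or shows DETERMINISTIC where the threat model needs RANDOMIZED, the schema is wrong regardless of what the application does.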
Dynamic Data Masking
  Limits Sensitive Data Exposure: sensitive data is masked in query results; administrators control who sees it unmasked.
  Useful for Compliance: helps adhere to privacy standards imposed by regulatory authorities.
  Application Transparency: no application changes; existing queries keep working.
Dynamic Data Masking
  Obfuscates data using 4 masking functions:
    Default: depends on data type (XXXX for strings, 0 for numeric types, 1900-01-01 for date/time types)
    Email: aXXX@XXXX.com (first letter kept, constant suffix)
    Partial: prefixXXXXXXsuffix (you choose how many leading and trailing characters stay exposed)
    Random: random number in a range (numeric types only)
  Data is stored unmasked; masking happens when the result set is formed.
  GRANT UNMASK to disclose data. Database owners and sysadmins always see unmasked data.
  Caveat: masking is a presentation-layer control, not encryption. Predicates still run against the real values, so a user who can write ad-hoc queries (WHERE Salary > 50000, WHERE Email LIKE 'a%') can infer what the mask hides.
  Also available in Azure SQL Database.
Dynamic Data Masking Demo
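Worked example for the demo, added here and not part of the original slides: the four masking functions on a constructed table, what a SELECT-only user gets back, the inference caveat from the previous slide, UNMASK, and how to inventory masked columns. The table, columns, rows and the ReportReader user are all assumptions constructed for the example.

```sql
-- Added example, not from the deck: Dynamic Data Masking on a constructed
-- table. dbo.Customers, its columns and rows, and ReportReader are assumed.
CREATE TABLE dbo.Customers (
    CustomerId  INT IDENTITY(1,1) PRIMARY KEY,
    FirstName   NVARCHAR(50)  MASKED WITH (FUNCTION = 'partial(1,"XXXXXXX",0)') NOT NULL,
    Email       NVARCHAR(100) MASKED WITH (FUNCTION = 'email()')   NOT NULL,
    Phone       VARCHAR(20)   MASKED WITH (FUNCTION = 'default()') NOT NULL,
    CreditLimit INT           MASKED WITH (FUNCTION = 'random(1, 100)') NOT NULL
);
INSERT INTO dbo.Customers (FirstName, Email, Phone, CreditLimit) VALUES
    (N'Roberto', N'roberto@example.com', '555-0100', 25000),
    (N'Janice',  N'janice@example.com',  '555-0101', 48000);
GO

-- A reader with SELECT only. Masking applies to it; db_owner and sysadmin
-- members always see the real values.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO ReportReader;
GO

EXECUTE AS USER = 'ReportReader';
-- Masked result set: FirstName RXXXXXXX, Email rXXX@XXXX.com, Phone XXXX,
-- CreditLimit a random value between 1 and 100.
SELECT CustomerId, FirstName, Email, Phone, CreditLimit FROM dbo.Customers;

-- Caveat: the mask is applied when the result set is formed. The WHERE clause
-- runs on the stored values, so an ad-hoc query can recover what is hidden.
SELECT CustomerId FROM dbo.Customers WHERE CreditLimit > 40000;   -- only Janice's id
SELECT CustomerId FROM dbo.Customers WHERE Email LIKE 'rob%';     -- only Roberto's id
REVERT;
GO

-- UNMASK is granted per principal for the whole database in SQL Server 2016;
-- there is no per-column grant.
GRANT UNMASK TO ReportReader;
EXECUTE AS USER = 'ReportReader';
SELECT FirstName, Email FROM dbo.Customers;   -- now plaintext
REVERT;
REVOKE UNMASK FROM ReportReader;
GO

-- Inventory of masked columns, for the compliance evidence the slide mentions.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

The two inference queries are the point of the caveat: masking is fine for limiting what a reporting tool or support screen displays, but it does not protect against a principal who can run arbitrary SQL against the table. For that threat, use Always Encrypted or restrict direct query access.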
Row Level Security
  Fine-grained access control: in multi-tenant databases, limits access by users who share the same tables.
  Centralized Security Logic: predicate-based access control logic resides inside the database and is schema-bound to the tables it protects.
  Application Transparency: no application changes; existing queries keep working.
Row Level Security
  Predicate function: a user-defined inline table-valued function (iTVF) implementing the access control logic. It can be arbitrarily complex and typically keys off USER_NAME(), IS_MEMBER() or SESSION_CONTEXT().
  Security predicate: applies a predicate function to a particular table (via APPLY). Two types: filter predicates, which silently filter the rows a SELECT, UPDATE or DELETE can see, and block predicates, which explicitly fail INSERT, UPDATE or DELETE operations that violate the predicate (AFTER INSERT, AFTER UPDATE, BEFORE UPDATE, BEFORE DELETE).
  Security policy: a collection of security predicates. Manages security across multiple tables and is switched on and off as a unit.
  Caveat: a filter predicate alone does not stop a user from inserting or updating rows into a tenant they cannot read back; add block predicates for that. Users who can write arbitrary queries can also probe hidden values through side channels, for example a predicate that divides by zero on a targeted value.
Row Level Security Demo
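Worked example for the demo, added here and not part of the original slides: a multi-tenant table protected by a predicate function, a filter predicate and two block predicates, exercised from a low-privileged user. The tenant is carried in SESSION_CONTEXT, the pattern used when the application connects with a shared login. dbo.Orders, the Security schema, fn_tenantPredicate, the TenantId key, the db_owner bypass and AppUser are assumptions for the example.

```sql
-- Added example, not from the deck: Row Level Security for a multi-tenant
-- table using SESSION_CONTEXT to carry the tenant. dbo.Orders, the Security
-- schema, fn_tenantPredicate, AppUser and the TenantId key are assumed names.
CREATE TABLE dbo.Orders (
    OrderId  INT IDENTITY(1,1) PRIMARY KEY,
    TenantId INT   NOT NULL,
    Amount   MONEY NOT NULL
);
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (1, 10.00), (1, 20.00), (2, 99.00);

-- Keep the predicate and policy in their own schema so table owners and
-- application users cannot alter or drop them.
CREATE SCHEMA Security;
GO

-- Predicate function: an inline TVF that returns a row when access is allowed.
-- Apps usually connect with a shared login, so the tenant is taken from
-- SESSION_CONTEXT, which the app sets right after connecting. IS_MEMBER lets
-- db_owner bypass the policy (an assumption for this demo).
CREATE FUNCTION Security.fn_tenantPredicate(@TenantId INT)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT)
              OR IS_MEMBER('db_owner') = 1;
GO

-- Security policy: the filter predicate hides other tenants' rows from
-- SELECT/UPDATE/DELETE; the block predicates fail writes that would place a
-- row in another tenant, which a filter alone would let through.
CREATE SECURITY POLICY Security.OrdersPolicy
    ADD FILTER PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders AFTER UPDATE
    WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- An application principal with plain DML rights and no special role.
CREATE USER AppUser WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO AppUser;
GO

-- Tenant 1's session. @read_only = 1 stops later code in the same session
-- (including injected SQL) from switching tenants; open a new session to switch.
EXEC sp_set_session_context @key = N'TenantId', @value = 1, @read_only = 1;
EXECUTE AS USER = 'AppUser';
SELECT OrderId, TenantId, Amount FROM dbo.Orders;           -- 2 rows, both TenantId = 1
UPDATE dbo.Orders SET Amount = 0 WHERE TenantId = 2;        -- 0 rows: filtered, no error
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (2, 5.00); -- error: blocked AFTER INSERT
UPDATE dbo.Orders SET TenantId = 2 WHERE OrderId = 1;       -- error: blocked AFTER UPDATE
GO
REVERT;
GO
```

Note the difference in behaviour between the two predicate types: the filtered UPDATE succeeds with zero rows affected and gives the caller no signal, while the blocked INSERT and UPDATE raise an error. Both are wanted here; the filter keeps tenants invisible to each other, the blocks stop a tenant from writing data it could never read back.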
Q&A
References
  Gianluca Sartori - SQL Saturday #495; SQL Saturday #69
  Always Encrypted on MSDN
  Getting Started With Always Encrypted
  Performance Impact of Always Encrypted
  Dynamic Data Masking
  Using Dynamic Data Masking
  Row Level Security on MSDN
  Introduction to Row Level Security